On 01/10/15 16:20, Toke Høiland-Jørgensen wrote: > Kevin Darbyshire-Bryant <ke...@darbyshire-bryant.me.uk> writes: > >> This patch stops SIGHUP from enabling dnssec timechecks if disabled by >> use of --dnssec-no-timecheck option. --dnssec-timestamp continues to >> work correctly. > I'd argue that patching dnsmasq in this way is the wrong way to fix > this. If you're worried about that DOS vector, don't use > --dnssec-no-timecheck but rather use --dnssec-timestamp. Hi Toke, small world :-)
Could I kindly ask you to read https://patchwork.ozlabs.org/patch/521344/ particularly with regards to Yousong's comments. You'll hopefully appreciate the irony of your suggestion and how things (by which I mean 'I') have been sent on a bit of a merry-go-round of late. > > Also, in a scenario where --dnssec-no-timecheck is used, the expectation > is that the time will be fixed in fairly short order (i.e. as soon as > NTP syncs up), so the potential for this being a DOS vector is rather > small I would say... And if you can SIGHUP the process you can also > SIGKILL it. > > -Toke I couldn't agree more. But in order to cover one's backside AND because SIGHUP is used for multiple things, e.g. poking dnsmasq to get it to re-read some files, there's a possibility that it could be poked to re-read config files (good) but with a side effect of checking dnssec timestamps at exactly the wrong moment ie. before time is made correct (bad) I think I'm actually trying to be helpful but I'm stepping off now before I .....well I'm not sure what before, but just before ;-) Back to sqm. Kevin
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
